excerpt from my book on technology, terrorism, and DHS, tentatively titled "Skating on Stilts." (If you want to read the excerpts in a more coherent fashion, try the categories on the right labeled "Excerpts from the book." I'm afraid I can't fix the bug in TypePad that prevents me from putting them in the category in reverse-chronological order, but I have started putting chapters up in pdf form from time to time.) Comments and factual quibbles are welcome, either in the comments section or by email: firstname.lastname@example.org. If you're dying to order the book, send mail to the same address.
And what about the “hard” option – just plain regulating? You know, just putting network security requirements into the Federal Register?
We couldn’t ignore that option, I thought. In fact, a lot of the most critical industries were already subject to government regulation. These included financial institutions, energy, and telecommunications. And some of these industries were already subject to cybersecurity regulation. Financial institutions, for example, must follow a unified set of cybersecurity rules. But even financial regulators don’t require particular security measures. The rules are largely procedural, resembling the instructions on a bottle of shampoo: Institutions must study their vulnerabilities, cure them, assess the effectiveness of the cure, and repeat.
It’s hard to write rules that go beyond such procedural steps, because the attackers change tactics faster than regulations can be amended. What's more, the cost of mandatory security would be very high; it would slow innovation and productivity growth severely.
Even so, there's a case for mandating particular security measures for regulated industries. It’s the Howard Crank problem all over again. Every year, the exponential growth of information technology makes our lives a little better, our businesses a little more efficient and profitable. And every year it leaves us a little more vulnerable to a military strike on our infrastructure that could leave us without power, money, petroleum, or communications for months.
Large parts of the country could find themselves living like post-Katrina New Orleans – but without the National Guard over the horizon. That risk isn’t part of most companies’ balance sheet. It’s not hard to see that as the kind of market failure that requires regulation.
But even if there is a market failure, the government still isn’t well-equipped to solve it. At a minimum, the regulatory agencies would have to find a way to coordinate and issue standards much faster than they now write regulations. Today, the practical speed limit is eighteen months from new idea to final rule. There's not much point in replacing a predictable market failure with an equally predictable government failure.
And what about all the vulnerable IT networks that are not in the hands of regulated industries? If they are compromised, the harm goes beyond the users of those networks. The compromised machines can be used to attack others, including government systems. To set standards in that world would certainly require new legislation.
Industry, we knew, wouldn’t like any talk about regulation. But they were fighting the last war. New security legislation had in fact already been enacted, though in an odd, and mostly unfortunate, way. All but five states have adopted laws that require companies to disclose any security breach that leads to the disclosure of sensitive customer data. The more the federal government has dithered over security rules for industry, the more aggressively the states have moved into the opening. Their breach notification laws are becoming de facto security regulations for all companies. First, they punish bad security by forcing companies that are compromised to admit that fact, as long as some personal data was accessed. Second, in a crude way, they recognize that good security measures can make notification unnecessary, and that encourages companies to invest in technologies that are so recognized. For example, many state laws recognize that encrypted data may be safe even if the system it is stored on has been compromised. So, naturally, many companies have expanded their use of encryption to avoid embarrassing breach notifications.
The problem with these laws is that they don’t necessarily point companies in the direction of real security improvements. Because they only punish companies for breaches that disclose personal data, they have encouraged the companies to lock up or discard certain kinds of customer data – rather than focusing on keeping hackers out of their systems more broadly.
The problem is particularly acute in the area of stolen and lost laptops. Thousands of business laptops are lost or stolen every day. Usually, the thief wants the laptop, not the data. But if there is personal data on the laptop, that data has technically been compromised, thus forcing companies to send embarrassing notices to everyone whose data was on the computer. After a few such cases, companies begin to divert their security budget to double-locking laptop drives with passwords and encryption. Those measures won’t keep GhostNet out of their networks, but they get the highest investment priority because of the peculiarities of state law.
By the same token, state laws expressly recognizing encryption of data as a defense have artificially heightened the priority that security offices assign to the deployment of encryption, even though it too would have done little to block a sophisticated attack. There are plenty of measures other than encryption that may be equally effective at providing a defense in depth, but state legislatures have not been able to draft laws that reward more comprehensive security.
Finally, state laws vary substantially, creating great tension for law-abiding companies, which find they cannot actually comply with all of the different laws. For all those reasons, we noted, there is growing support for a federal law that would set a single breach disclosure standard. We thought that such a law could also create incentives for higher cybersecurity standards. In fact, replacing inconsistent state notification laws with a security-minded federal law would be a victory for both security and innovation.